PDPA Rules & Requirements
Guidelines You Should Know
Main Advisory Guidelines
8 Selected Topics
The PDPC has published advisory guidelines on selected topics for particular issues and domains on its website. These guidelines are meant to help individuals and organisations understand how the PDPA applies to those selected topics. They are guidelines and are not legally binding. We summarise these selected topics below for your reference only.
The 8 selected topics are:
Recruitment
- Job application – When an individual voluntarily provides his personal data in a job application to an organisation, this is deemed consent from the individual for the organisation to collect, use and disclose the personal data for the purpose of assessing the job application. Unless an exception applies, the organisation has to seek the individual’s consent if the personal data is to be used for other purposes.
- Reference checks – The evaluative purpose exception allows the organisation to collect, use or disclose personal data without consent if the purposes are related to the job application. Such reference checks may include contacting ex-employers or other sources the organisation deems reasonably necessary.
- BCI use – An organisation is not required to comply with the PDPA if an individual provides Business Contact Information (BCI) for purposes other than solely personal purposes.
- Recruitment agencies – Unless an exception under the PDPA applies, all recruitment agencies, head-hunting companies and employment firms are required to inform applicants of the purposes for which they collect, use and disclose the individual’s personal data.
Employees
- Performance assessment – For evaluative purposes, an organisation may obtain information about its employee without the consent of the employee, if the information or personal data is necessary to determine if the employee is suitable, eligible or qualified for promotion, continued employment or termination.
- The PDPA states that an organisation does not need the consent of its employees for the collection or disclosure of personal data for the purpose of managing or terminating the employment relationship. Using an employee’s bank account to issue salaries, or monitoring employees’ use of the computer network, may fall under this exception. However, the PDPA requires the organisation to inform its employees of the purposes even though their consent is not required.
- With effect from 1 September 2019, organisations are generally not allowed to collect, use or disclose NRIC numbers, including copies of NRICs, unless required by law or if needed to verify the identities of the individuals to a high degree of fidelity.
- Organisations should not retain an individual’s physical NRIC unless such retention is required by law.
- The treatment for NRICs also applies to Birth Certificate Numbers, Foreign Identification Numbers (“FIN”), Work Permit Numbers and Passport Numbers.
- The treatment for retention of physical NRICs applies to all other identification documents containing NRIC numbers or other national identification numbers, e.g. driver’s license, passport and work pass.
- Based on its business and operational needs, an organisation should look for alternatives to NRIC numbers, e.g. user-generated or organisation-generated identifiers, email address, mobile number, a combination of the information provided by the individual, or a partial NRIC number.
- Organisations that are allowed to collect NRIC numbers still have to comply with the PDPA in handling them.
- Where an organisation requests to sight an individual’s physical NRIC and the information on it for the purpose of identifying the individual, with no intention to obtain control or possession of the physical NRIC, and does not retain the personal data, the PDPC does not consider this a collection of the personal data on the physical NRIC.
- An image of an identifiable individual captured in a photograph is personal data. The PDPA requires the individual’s consent to be obtained for the collection, use or disclosure of that personal data.
- Exceptions to this Consent Obligation may apply, e.g.:
- The photographer is acting in personal or domestic capacity, e.g., an individual taking pictures for personal use at a family gathering;
- Photo is taken at an event or location that is open to the public
- Unless an exception rule applies, an organisation should provide notifications and obtain consent for the use, collection and disclosure of personal data contained in CCTV footage.
- Notices should be placed so that individuals have sufficient awareness that CCTVs are in operation. This includes putting notices at the entrance of a building or at prominent places in a venue or vehicle.
- It is not required to reveal the exact location of the CCTVs.
- The PDPA does not prohibit an organisation’s CCTVs from collecting footage beyond the boundaries of its premises. However, the organisation should consider what extent of coverage is reasonable for the installation of the CCTVs.
- In general, an organisation is required to grant an individual’s access request for CCTV footage containing his personal data, unless the request falls under an exception or prohibition under the PDPA.
- An organisation providing access by giving a copy of the CCTV footage has the option of charging the individual a reasonable fee. If the CCTV footage cannot be extracted easily and providing it would incur prohibitive cost, the organisation should grant the individual a reasonable opportunity to examine the requested data in person, with appropriate masking (common types: solid, blur or pixelated) of the personal data of other individuals.
- In the context of PDPA, anonymisation refers to the conversion of personal data into data that cannot be used to identify a particular individual, whether from the data itself, or from that data and other information to which the organisation has or is likely to have access.
- There are 7 examples of anonymisation provided in the guideline:
- Pseudonymisation – replacing personal identifiers with other references;
- Aggregation – displaying values as totals such that no individual value that could identify an individual is shown;
- Replacement – replacing values or a subset of the values with a computed average or a number derived from the values;
- Data reduction – removing values that are not required for a purpose;
- Data suppression – banding or hiding values within a given range;
- Data shuffling – mixing up or replacing values with those of the same type so that the information looks similar but is unrelated to the actual values;
- Masking – removing certain details while preserving the look and feel of the data.
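As an added illustration (not part of the PDPC guidelines), the following Python applies several of the techniques listed above to a constructed HR record set: pseudonymisation via a keyed hash (the keyed HMAC is this example’s choice, not a PDPC requirement), data reduction, banding, masking of a partial NRIC, and aggregation. The sample records, NRIC values, key and the choice of keeping the last four NRIC characters are all assumptions of the example.

```python
"""Added example: anonymisation techniques from the PDPC list applied to constructed data."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; NRIC values and names are synthetic placeholders.
RECORDS = [
    {"nric": "S1234567A", "name": "Tan Ah Kow", "age": 34, "salary": 5200, "dept": "Ops"},
    {"nric": "T7654321Z", "name": "Lee Mei", "age": 27, "salary": 4100, "dept": "Ops"},
    {"nric": "S2468013B", "name": "Raj Kumar", "age": 45, "salary": 8800, "dept": "Fin"},
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Pseudonymisation: replace the identifier with a keyed-hash reference.
    The key stays with the organisation; a party without it cannot rebuild
    the token from a guessed NRIC. (Keyed HMAC is this example's choice.)"""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def mask_nric(nric: str, keep: int = 4) -> str:
    """Masking: keep the look of an NRIC but hide the leading characters.
    Retaining the last four characters is an assumption of this example."""
    return "*" * (len(nric) - keep) + nric[-keep:]


def band_age(age: int, width: int = 10) -> str:
    """Data suppression: band an exact age into a range such as '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def anonymise(records, key: bytes, keep_fields=("dept", "age")):
    """Data reduction (drop fields not needed for the purpose) combined with
    the row-level transforms above. Small groups can still be re-identified
    when joined with other data, so the output still needs the access and
    use restrictions described in the guidelines."""
    out = []
    for r in records:
        row = {k: r[k] for k in keep_fields}  # data reduction
        row["age"] = band_age(row["age"])  # suppression
        row["subject"] = pseudonymise(r["nric"], key)  # pseudonymisation
        row["nric_display"] = mask_nric(r["nric"])  # masking
        out.append(row)
    return out


def aggregate_salary(records):
    """Aggregation: salary totals per department; no individual salary is shown."""
    totals = Counter()
    for r in records:
        totals[r["dept"]] += r["salary"]
    return dict(totals)
```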
- Re-identification is the process by which anonymised data is combined with other information such that an individual can be identified, at which point it becomes personal data again. An organisation can lower the risk of re-identification by:
- Limiting disclosure to restricted personnel;
- Imposing additional restrictions on the use and subsequent disclosure of the data;
- Implementing processes to govern proper use of anonymised data, in line with restrictions such as access restrictions;
- Implementing processes and measures to destroy the data as soon as possible.
- An organisation should assess the risks of re-identification if it intends to publish the data set or disclose it to another organisation.
- A case study of the Netflix re-identification case in the guideline illustrates these re-identification risks.
- An organisation that collects personal data for the purpose of research and analysis should stick to the original purpose notified to the individual. Any deviation from the original purpose of research and analysis would need fresh consent from the individual.
- IP address – An IP address identifies a computer or device on a TCP/IP network. An IP address by itself is not personal data, unless an individual can be identified from the IP address together with other available information such as recorded information, established facts or personal knowledge.
- Cookies – A web cookie is a small piece of data sent from a website and stored on the user’s computer by the web browser while the user is browsing. The website thereby “remembers” what the user has browsed and can present customised web pages and information to the user. Not all cookies collect personal data: for cookies that do not collect personal data, there is no need to request consent from the user. But if personal data collection is involved, the organisation has to inform the individual and seek consent.
- An organisation that uses cookies for behavioural targeting needs to seek consent from the individual if personal data is collected and used.
Get in Touch
If you have any questions pertaining to our PDPA course, PDPA training, DPO or consultation services, feel free to get in touch with us. We would love to help you protect your data and protect you.